OpenSIPS · vladpaiu · Dec 11, 2025
diff --git a/modules/tls_wolfssl/doc/tls_wolfssl_admin.xml b/modules/tls_wolfssl/doc/tls_wolfssl_admin.xml
@@ -76,4 +76,33 @@
 	</section>
 	</section>
 
+	<section>
+		<title>&osips; Exported parameters</title>
+		<para>
+		All these parameters can be used from the opensips.cfg file,
+		to configure the behavior of &osips;-TLS.
+		</para>
+
+		<section id="param_try_use_ktls" xreflabel="try_use_ktls">
+			<title><varname>try_use_ktls</varname> (integer)</title>
+			<para>
+			Try to use KTLS for RX and TX ( dependent on Kernel support and loaded modules https://docs.kernel.org/networking/tls-offload.htm )
+			If kernel support is not found, or if the cypher attempted to be used is not supported ( only AES-GCM for now ), then SSL operations will continue to be done in user-space.
+			IF NIC supports SSL offloading, that can also be enabled without any changes needed to the module https://docs.nvidia.com/doca/sdk/ktls-offloads/index.html
+			</para>
+			<para>
+				Default value is <emphasis>0</emphasis>.
+			</para>
+			<example>
+				<title>Set <varname>try_use_ktls</varname> variable</title>
+				<programlisting format="linespecific">
+...
+modparam("tls_wolfssl", "try_use_ktls", "0")
+...
+				</programlisting>
+			</example>
+		</section>
+	</section>
+
+
 </chapter>
diff --git a/modules/tls_wolfssl/wolfssl.c b/modules/tls_wolfssl/wolfssl.c
@@ -35,6 +35,7 @@
 #include "../../dprint.h"
 #include "../../mem/shm_mem.h"
 #include "../../sr_module.h"
+#include "../../modparam.h"
 #include "../../locking.h"
 #include "../../pt.h"
 #include "../../net/tcp_conn_defs.h"
@@ -92,23 +93,29 @@ int _wolfssl_tls_var_check_cert(int ind, void *ssl, str *str_res, int *int_res);
 int _wolfssl_tls_var_validity(int ind, void *ssl, str *res);
 
 int ssl_versions[SSL_VERSIONS_SIZE];
+int wolfssl_try_use_ktls;
 
 static const cmd_export_t cmds[] = {
 	{"load_tls_wolfssl", (cmd_function)load_tls_wolfssl,
 		{{0,0,0}}, ALL_ROUTES},
 	{0,0,{{0,0,0}},0}
 };
 
+static param_export_t mod_params[] = {
+	{"try_use_ktls", INT_PARAM, &wolfssl_try_use_ktls},
+	{0, 0, 0}
+};
+
 struct module_exports exports = {
 	"tls_wolfssl",  /* module name*/
 	MOD_TYPE_DEFAULT,/* class of this module */
 	MODULE_VERSION,
 	DEFAULT_DLFLAGS, /* dlopen flags */
-	0,				 /* load function */
+	0,          /* load function */
 	0,          /* OpenSIPS module dependencies */
-	cmds,          /* exported functions */
+	cmds,       /* exported functions */
 	0,          /* exported async functions */
-	0,          /* module parameters */
+	mod_params, /* module parameters */
 	0,          /* exported statistics */
 	0,          /* exported MI functions */
 	0,          /* exported pseudo-variables */
@@ -190,6 +197,9 @@ static int mod_init(void)
 
 	_wolfssl_show_ciphers();
 
+	if (wolfssl_try_use_ktls)
+		LM_INFO("KTLS requested: will try to offload TLS TX to the kernel when possible\n");
+
 #ifdef __WOLFSSL_ON_EXIT
        on_exit(_wolfssl_on_exit, NULL);
 #endif

diff --git a/modules/tls_wolfssl/wolfssl.h b/modules/tls_wolfssl/wolfssl.h
@@ -27,6 +27,9 @@
 struct _WOLFSSL {
 	WOLFSSL *read_ssl;
 	WOLFSSL *write_ssl;
+	unsigned char ktls_tx;
+	unsigned char ktls_rx;
+	unsigned char ktls_ulp;
 };
 
 #define _WOLFSSL_READ_SSL(_ssl) \
@@ -39,3 +42,4 @@ struct _WOLFSSL {
 #define SSL_VERSIONS_SIZE 4
 
 extern int ssl_versions[SSL_VERSIONS_SIZE];
+extern int wolfssl_try_use_ktls;